Researchers Use Ridesharing Cars to Sniff Out a Secret Spying Tool

Law enforcement’s use of the surveillance devices known as stingrays, fake cell towers that can intercept communications and track phones, remains as murky as it is controversial, hidden in non-disclosure agreements and cloak-and-dagger secrecy. But a group of Seattle researchers has found a new method to track those trackers: by recruiting ridesharing vehicles as surveillance devices of their own.

For two months last year, researchers at the University of Washington paid drivers of an unidentified ridesharing service to keep custom-made sensors in the trunks of their cars, converting those vehicles into mobile cellular data collectors. They used the results to map out practically every cell tower in the cities of Seattle and Milwaukee—along with at least two anomalous transmitters they believe were likely stingrays, located at the Seattle office of the US Customs and Immigration Service, and the Seattle-Tacoma Airport.

Beyond identifying those two potential surveillance operations, the researchers say their ridesharing data-collection technique could represent a relatively cheap new way to shed more light on the use of stingrays in urban settings around the world. “We wondered, how can we scale this up to cover an entire city?” says Peter Ney, one of the University of Washington researchers who will present the study at the Privacy Enhancing Technology Symposium in July. He says they were inspired in part by the notion of “wardriving,” the old hacker trick of driving around with a laptop to sniff out insecure Wi-Fi networks. “Actually, cars are a really good mechanism to distribute our sensors around and cast a wide net.”

Ney and Smith installing a SeaGlass sensor box in a car. Dennis Wise/University of Washington

Searching for Stingrays

Stingrays, also known as cell-site simulators or IMSI catchers, have become a powerful but little-understood tool for law enforcement surveillance. They work by tricking phones into connecting with the stingray, instead of a real cell tower, enabling them to intercept communications, track a suspect’s location, and even inject malware onto a target phone.

Police and federal agencies have shared as little information as possible about how and when they use them, even dropping cases against criminal suspects to avoid revealing stingray details. And in many states, the tool still remains legal to use without a search warrant.

In the absence of publicly available stingray information, the University of Washington researchers tried a new technique to find out more. Starting in March of 2016, they paid $25 a week to 15 rideshare-service drivers to carry a suitcase-sized device they called SeaGlass. That sensor box contained about $500 worth of gear the team had assembled, including a GPS module, a GSM cellular modem, a Raspberry Pi minicomputer to assemble the data about which cell towers the modem connects to, a cellular hotspot to upload the resulting data to the group’s server, and an Android phone running an older program called SnoopSnitch, designed by German researchers to serve as another source of cell-tower data collection. The sensor boxes drew their power from the cigarette lighter electric sockets in the cars’ dashboards, and were designed to boot up and start collecting data as soon as the car started.

For the next two months, the researchers collected detailed data about every radio transmitter that connected to SeaGlass modems and Android phones as they moved through the two cities. They identified and mapped out roughly 1,400 cell towers in Seattle, and 700 in Milwaukee. They then combed that data for anomalies, like cell towers that seemed to change location, appeared and disappeared, sent localized weaker signals, appeared to impersonate other towers nearby, or broadcast on a wider range of radio frequencies than the typical cellular tower.

A graph showing the researchers' data collection over time, including the unusual number of cell transmitter signals of different frequencies they detected around the Seattle office of the US Customs and Immigration Service. Dennis Wise/University of Washington

Outliers

In those two months of data, the team found three noteworthy anomalies, all in the Seattle area. (They acknowledge that their coverage of Milwaukee may have been too sparse, since only 6 of their 15 drivers were based there, and they didn’t work as long hours as the Seattle drivers.)

Around the Seattle office of the US Customs and Immigration Service, the researchers pinpointed an apparent cell tower that frequently changed the channel on which it broadcast, cycling through six different kinds of signal. That’s far more than any other tower they tested—96 percent of their data showed towers transmitting on just one channel—and represents a telltale sign of a stingray. The devices often broadcast on multiple frequencies, so that they can impersonate a cell tower while broadcasting on a neighboring frequency to avoid interfering with the real tower, the researchers explain.

In another instance, the team spotted clues of a possible stingray at the SeaTac airport. In the midst of thousands of readings at that location that appeared to come from stable, nearby towers, they found one signal that had entirely unique identifiers—unlike any of the other millions of data points they’d collected—and appeared for only a short window of time, around the evening of April 9th, 2016.

The third outlier was a signal that appeared just once at a location in the West Seattle neighborhood, but matched all the identifiers of a cell tower they’d otherwise spotted hundreds of times at another location in downtown Seattle, more than 3 miles away. While that strange data point could be a sign of a stingray briefly appearing at that location, the researchers say it could also be a false positive.
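The three kinds of outlier described above can be expressed as simple checks over per-tower sightings. The sketch below is an added illustration, not the SeaGlass team's code: the record layout, the tower identifier strings, the thresholds and the sample readings are all constructed assumptions.

```python
import math
from collections import defaultdict
from statistics import median

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def find_anomalies(obs, max_channels=2, max_km=3.0,
                   min_sightings=3, short_window_s=6 * 3600):
    """obs: iterable of (tower_id, channel, lat, lon, unix_ts).
    Returns {tower_id: set of flags}. All thresholds are assumed values."""
    by_tower = defaultdict(list)
    for tower, channel, lat, lon, ts in obs:
        by_tower[tower].append((channel, (lat, lon), ts))
    flags = defaultdict(set)
    for tower, rows in by_tower.items():
        # 1. Tower seen on unusually many channels (the USCIS-office pattern).
        if len({c for c, _, _ in rows}) > max_channels:
            flags[tower].add("multi_channel")
        # 2. Known identifiers sighted far from the tower's usual position.
        centre = (median(p[0] for _, p, _ in rows),
                  median(p[1] for _, p, _ in rows))
        if any(haversine_km(centre, p) > max_km for _, p, _ in rows):
            flags[tower].add("moved")
        # 3. Identifiers seen only a few times inside one short window.
        times = [t for _, _, t in rows]
        if len(rows) < min_sightings and max(times) - min(times) < short_window_s:
            flags[tower].add("short_lived")
    return dict(flags)

DAY = 86400
# Constructed sample readings: one ordinary tower and one of each outlier type.
SAMPLE = (
    [("310-260-100-1", 128, 47.600 + i * 0.001, -122.330, i * DAY) for i in range(4)]
    + [("310-260-100-2", 128 + 2 * i, 47.620, -122.340, i * DAY) for i in range(6)]
    + [("310-260-100-3", 140, 47.605, -122.335, i * DAY) for i in range(5)]
    + [("310-260-100-3", 140, 47.570, -122.387, 5 * DAY)]
    + [("310-999-900-9", 150, 47.450, -122.310, 3 * DAY + i * 1800) for i in range(2)]
)

if __name__ == "__main__":
    for tower, found in sorted(find_anomalies(SAMPLE).items()):
        print(tower, sorted(found))
```

As the researchers note for their own third outlier, a flag here is a lead to corroborate, not proof: sparse coverage alone can make a legitimate tower look short-lived or misplaced.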

The researchers concede that they don’t have any hard evidence of a stingray being used at either the USCIS office or the airport, only strong hints in their data. But they point to a report by the Detroit News that found FBI and Immigration and Customs Enforcement (ICE) agents used one of the devices to locate and deport an El Salvadorean immigrant with no criminal record other than allegations of drunk driving and a hit-and-run car crash. In the airport, the researchers speculate, a stingray could be a powerful tool for sifting through a large crowd to find a criminal suspect’s phone. “You can imagine they were looking for a person of interest,” says Washington researcher Ian Smith. “They’re very good for figuring out if a person or set of people is in that crowd.”

The researchers say they have no illusion that they’ve found anywhere close to all of the stingray operations in Seattle. They readily admit that their method likely missed many more discreet stingray uses, since it depends on a ridesharing vehicle driving nearby at the exact moment a stingray is turned on. Public records requests have revealed, for instance, that police in neighboring Tacoma used stingrays at least 168 times between 2009 and 2014. But the ridesharing trick can at least begin to track those cases.

One of the SeaGlass sensor boxes tucked into the trunk of a ridesharing car. University of Washington

Finding Accountability

When WIRED reached out to law enforcement agencies to ask about the two possible stingrays, both the Seattle police and the Port of Seattle police responsible for the SeaTac airport denied ownership of any such device at the two locations. A Port of Seattle police spokesperson said the airport police “don’t have one of those,” and a Seattle Police Department spokesperson said “it’s not one of ours.” The FBI didn’t respond to requests for comment, but an ICE spokesperson wrote that ICE agents “use a broad range of lawful investigative techniques in the apprehension of criminal suspects. Cell-site simulators are invaluable law enforcement tools that locate or identify mobile devices during active criminal investigations.” A DEA spokesperson refused to confirm or deny any specific operations, but noted that stingrays are a “lawful investigative tool that can be utilized in the dismantlement of criminal organizations.”

The researchers, for their part, say their intention wasn’t to disrupt any specific law enforcement investigation, which they suggest would likely be over given that they collected their data a year ago. Instead, they say they wanted to pilot a new method to gather generalized data about how and where stingrays are being used. They hope to follow up by combining SeaGlass’s data with corroborating evidence in open record requests and journalistic investigations.

All of that means for just a thousand dollars a month or possibly even less, the Washington researchers argue, academics or activists in a city the size of Seattle can gain valuable information about how stingrays are being used there. “For surveying an entire city, it seems like a reasonably economical first step,” says Smith. And it’s one that could make a still-mysterious, potent law enforcement spy tool far more accountable.